alejandro.castilllo

XSS

alejandro.castilllo

Hi everyone,

I just finished going through Module 4: XSS in the Web Application section. Feeling adventurous, I decided to go out and see if I could try some. I found a website on the net that allows you to test your XSS skills. It's pretty basic in nature, but it does its job nonetheless. I tried using some of the techniques I learned throughout the course and some of the puzzles left me dumbfounded.

Vulnerable Site:

http://xss.progphp.com/

I managed to get through three of the fifteen or so puzzles. So I am feeling a bit intimidated about taking the cert. I also feel a little bit unprepared. So I went to go look for the answers and I found this website, which you will see below.

Solutions for vulnerable Site:

http://bl0g.yehg.net/2010/11/scanners-are-scanners-humans-are-humans.html

I've read the answers and the answers make sense, but I don't know how they got to some of the answers. I also don't feel like the material was covered in the course. Does anyone know where I can get some additional material to understand XSS? Or can someone explain what type of methodology was used to derive those answers? After viewing the module, I feel like I should know this. (v.v) Unfortunately, I don't, and any help you can lend would be greatly appreciated.

Armando

If you provide more specific queries as to which exercises you didn't understand, we might help.

Also, XSS is the exploitation of script injection. How you exploit the vulnerability is up to you and has nothing to do with the nature of the vulnerability itself. Once you know the three different types of XSS, you can build any kind of payload. The course cannot show all of the exploitation code, just as it could not show every payload you could ever think of when exploiting an RCE. They are infinite, and it's up to the situation/goal you want to reach.

The XSS module aims at demonstrating what it is, how you find it and how you exploit XSS.

Let me know

alejandro.castilllo

Thanks for replying promptly, Armando. I really appreciate it. After reading your post, re-reading those comments from others and doing a little research, I came across a few tools that allowed me to edit the GET/POST headers, and I was able to solve some more puzzles. I listed my results below, but I guess I am having a little bit of trouble finding places to put my payload, specifically places like xss4 and xss9, as they don't really give back any feedback. Other times, I am left wondering how they knew to double URL-encode it.

I managed to solve and understand:

xss1 - simple text box insert

xss2 - edit cookie with FF Tamper Data plugin

xss3 - edit Referer in GET header using FF Tamper Data plugin

xss5 - edit back function using FF Tamper Data plugin

xss6 - edit X-Forwarded-For using FF IP Spoofer

xss8 - finish input query

I could not solve or understand the following:

xss4 - I could not find a place to insert code.

xss7 - could not find a way to edit the xss7.html text without making my code look like text. Tried URL encoding and plain JavaScript.

xss9 - don't know where to start; no variables in headers or URL, and no feedback on the page.

xss10 - it looks like there might be a PHP stdClass. Does this mean I have to use PHP?

xss11 - I'm wondering how the person arrived at the conclusion. I could reproduce it, but why bar and not foo?

xss12 - same

I feel like I still need practice, so I will be testing my XSS knowledge against Damn Vulnerable Web App before I move on to the eLS BackTrack website, because at the moment I don't feel like I know XSS. But as with all things, a little practice, a little guidance, and there is nothing that can't be learned :)

http://www.dvwa.co.uk/

UPDATE: I am happy to report that I got through XSS reflected low and medium. But level 3, hard, is for all intents and purposes hard. (^_^) It's okay, it has a clearly labelled input box. All I have to do is figure out a way to bypass htmlspecialchars.

alejandro.castilllo

I wasted too much time yesterday trying to XSS the third level of security in DVWA, so I have given up. I looked for the answer and it seemed like a member of the forum at DVWA could have saved me a lot of time. According to the forum, level three is what secure code should look like. Thus it may not have been implemented to be hacked. But I'm happy to say that the techniques covered in this course made security levels low and medium easy to XSS =)

I also tried to do some XSS on the eLearn website that was included in the ISO, but I failed at it. But I did notice that it talked to a backend database. So I will now move on to module 5 before I give it another go.

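The difference between the DVWA levels mentioned in the post above comes down to output encoding and the context the encoded value lands in. The following is an added example written for this thread, not DVWA's source and not code from the challenge site: it pushes four constructed payloads through several constructed templates, using Python's html.escape (which encodes the same five characters as PHP's htmlspecialchars with ENT_QUOTES), then re-parses each result with the standard-library HTMLParser and reports, structurally, whether the input added a tag, an event-handler attribute or a javascript: URL that the template did not contain. The payload names, template names and helper names (Inspector, breaks_out, evaluate) are assumptions made for the demo.

```python
"""
Added example for this thread (not DVWA's code and not from xss.progphp.com):
what an htmlspecialchars-style encoder does and does not protect, judged by
re-parsing the rendered HTML. html.escape encodes the same five characters
as PHP's htmlspecialchars($s, ENT_QUOTES).
"""
import html
from html.parser import HTMLParser

# Constructed payloads, one per injection context an attacker might target.
PAYLOADS = {
    "script tag":   "<script>alert(1)</script>",   # needs a text node with < unencoded
    "quote break":  '" onmouseover="alert(1)',     # closes a quoted attribute
    "bare handler": "x onmouseover=alert(1)",       # no metacharacters at all
    "js url":       "javascript:alert(1)",          # a URL context, nothing to encode
}

# Constructed templates: where the (possibly encoded) value ends up.
RENDERERS = {
    "low text node":         lambda v: f"<pre>Hello {v}</pre>",
    "low quoted attr":       lambda v: f'<input value="{v}">',
    "encoded text node":     lambda v: f"<pre>Hello {html.escape(v)}</pre>",
    "encoded quoted attr":   lambda v: f'<input value="{html.escape(v)}">',
    "encoded unquoted attr": lambda v: f"<input value={html.escape(v)}>",
    "encoded href":          lambda v: f'<a href="{html.escape(v)}">profile</a>',
}
TEMPLATE_TAGS = {"pre", "input", "a"}   # the only elements the templates contain


class Inspector(HTMLParser):
    """Records every tag, event-handler attribute and javascript: URL it parses."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.js_urls = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.js_urls.append((tag, value))

    def handle_endtag(self, tag):
        self.tags.append(tag)


def breaks_out(rendered):
    """True if the input changed the document's structure, not just its text."""
    ins = Inspector()
    ins.feed(rendered)
    ins.close()
    return (any(t not in TEMPLATE_TAGS for t in ins.tags)
            or bool(ins.handlers) or bool(ins.js_urls))


def evaluate():
    """For each template, which payloads escape their intended context."""
    return {ctx: [name for name, p in PAYLOADS.items() if breaks_out(render(p))]
            for ctx, render in RENDERERS.items()}


if __name__ == "__main__":
    for ctx, escaped in evaluate().items():
        print(f"{ctx:22} {escaped or 'safe'}")
```

Run it and the encoded text node and encoded quoted attribute come back clean for every payload, while the unquoted attribute and the href still let a payload through even though the value went through the encoder. That is the practical reading of the forum remark quoted above: htmlspecialchars is not something to bypass in a text node or a quoted attribute, and what "bypass" attempts are really hunting for is a place where the encoded value lands in a context the encoding was never designed for. The judge is structural, so it flags an injected onmouseover attribute even in the one case where the resulting handler body would not parse as JavaScript.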
Armando

While I look into those exercises (challenges are always cool :)), I'd like to point out that the XSSs in the exam application are not meant to be difficult to exploit but difficult to find. Exploitation can be a determined payload that you will have to determine according to the situation. How to find it is what matters most, in my opinion, during a pentest. So make sure you perform your checks for all the channels in every script that takes user input.

alejandro.castilllo

Thanks Armando! That makes me feel a little bit more comfortable with the exam. I was thinking that since this was dubbed the CEH killer, it was meant to be far more detailed and difficult, but it's nice to know that the difficulty is not in the exploitation but in finding it. I can't wait for the weekend so that I can move on to the next modules.

Edit: Let me know how those exercises turn out. I'm still having trouble XSSing those links.

Armando

Yeah, I'm gonna take 20 minutes to have a look at those challenges.

Also, yes, make sure you find all the vulns, exploit them and report them correctly (correct name, correct impact, correct remediation tips). It seems "simple", but still more than 50% of our students fail their first attempt.

Armando

XSS 4 was meant to have an injection in the Referer.

Actually I'm wondering if you have attacked the website with Burp in the middle.

With Burp I was able to manipulate the header and understand that the Referer header was used to perform a redirect. This redirect happened by putting the user input (taken from the Referer header) into a Location header.

So the Referer header is the injection point.

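Armando's two points in this thread, check every channel a script reads and treat the Referer-to-Location copy as the xss4 injection point, can be turned into a repeatable probe. This is an added example for the thread, not the challenge site's code and not what Armando did in Burp: it sends a canary containing the four characters an XSS payload needs (<, ", ', >) through the query string, Referer, User-Agent, X-Forwarded-For and Cookie, and classifies how the canary came back in the body and in the response headers separately. The target it probes is a constructed local server (ToyTarget) whose sinks imitate the behaviours described in this thread; the channel list, the canary and the helper names (classify, probe, run_demo) are assumptions made for the demo.

```python
"""
Added example, not code from the thread or from xss.progphp.com: a canary
probe that exercises every request channel a server-side script might read
and reports where the value is reflected and whether it survived unencoded.
The target is a constructed local server whose behaviour imitates what the
posts above describe (Referer copied into Location, User-Agent encoded,
X-Forwarded-For and a cookie value echoed raw).
"""
import html
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse

MARKER = "zq9"                          # improbable string, used to spot partial reflections
CANARY = MARKER + "<\"'>" + MARKER      # plus the four characters an XSS payload needs


class ToyTarget(BaseHTTPRequestHandler):
    """Constructed target with one sink per channel; not the challenge site's code."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/redirect":
            # Referer copied into a response header: the xss4 pattern described above
            self.send_response(302)
            self.send_header("Location", self.headers.get("Referer", "/"))
            self.end_headers()
            return
        q = parse_qs(url.query).get("q", [""])[0]
        body = (
            f"<p>search: {q}</p>"                                               # raw
            f"<p>agent: {html.escape(self.headers.get('User-Agent', ''))}</p>"  # encoded
            f"<p>client: {self.headers.get('X-Forwarded-For', '')}</p>"         # raw
            f"<p>session: {self.headers.get('Cookie', '')}</p>"                 # raw
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):        # keep the demo quiet
        pass


# One request builder per channel: returns (path, extra request headers).
CHANNELS = {
    "query string":    lambda c: ("/?q=" + quote(c, safe=""), {}),
    "Referer":         lambda c: ("/redirect", {"Referer": c}),
    "User-Agent":      lambda c: ("/", {"User-Agent": c}),
    "X-Forwarded-For": lambda c: ("/", {"X-Forwarded-For": c}),
    "Cookie":          lambda c: ("/", {"Cookie": "session=" + c}),
}


def classify(text):
    """How did the canary come back in this part of the response?"""
    if CANARY in text:
        return "raw"            # metacharacters intact: an injection point
    if html.escape(CANARY) in text:
        return "html-encoded"   # safe in an HTML text node; other contexts need more
    if MARKER in text:
        return "altered"        # reflected but filtered or re-encoded: look closer
    return "absent"


def probe(host, port):
    """Send the canary down each channel; classify body and headers separately."""
    findings = {}
    for channel, build in CHANNELS.items():
        path, headers = build(CANARY)
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path, headers=headers)
            resp = conn.getresponse()
            body = resp.read().decode("utf-8", "replace")
            # response headers are a sink too (Location here), but a different one
            hdrs = "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
        finally:
            conn.close()
        findings[channel] = {"body": classify(body), "headers": classify(hdrs)}
    return findings


def run_demo():
    """Start the constructed target on a free port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), ToyTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for channel, where in run_demo().items():
        print(f"{channel:16} body={where['body']:13} headers={where['headers']}")
```

On the constructed target the query string, X-Forwarded-For and Cookie come back raw in the body, User-Agent comes back HTML-encoded, and Referer is absent from the body but raw in the Location header. Reflection into a header is a different sink from reflection into the page, and what you can do with it depends on which header it is, which is why the two are reported separately. Against a real target, point probe() at it and read the classifications the same way; "altered" means the marker survived but the metacharacters did not, which is where the encoding tricks mentioned earlier in the thread come in.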
Colo_Joe

Alejandro,

I very much appreciate the sharing of the test XSS website. I am having difficulty with XSS and I do not have a web developer background, so my learning is going slowly.

Have you had more luck with solving the XSS tests? I haven't had much luck with them, but have learned a bunch from the answers you have posted. At present the website you linked for the answers is gone, and I haven't had any luck looking on the web. Any chance you could post some pointers on the tests? Anything to get me going in the right direction would be greatly appreciated.

Armando

Colo, please post your questions in regards to XSS and I will have them answered.

Also, we are doing a few XSS exercises that will appear in our upcoming project.

Colo_Joe

To be honest my questions were in regards to the website Alejandro posted earlier:

http://xss.progphp.com/

I was able to follow the questions and answers provided in the tutorials on the site up to XSS6, but for the tutorials XSS7 through XSS13, I am struggling.

The biggest hurdle I have is knowing where to start. I am not able to find a vulnerable starting point in XSS7-13 (I am not even sure if all the pages are working properly).

I would rather a point in the right direction than be given the answer if possible.

I have used Burp, spidered the page, looked for parameters, looked for vulnerabilities in the headers, tried to edit cookies, tried inserting HTML tags, and tried searching the web. Unfortunately I have not been successful and am lost. I am planning on picking up a book on web development and XSS, as all of this is very new since I have zero development (web, programming, etc.) in my background. (Wish I had paid more attention to the programming classes in college!)

I have made much progress in learning about XSS using DVWA as advised by the course material and Alejandro, and hope that I will be able to come back to these XSS tutorials with some new techniques.

If there is more information I can provide please let me know.

TBone

Hi All

I signed up to eLearnSecurity a while ago and must admit I haven't really mentioned anything on these forums; however, I do intend to get more involved from now on :)

Anyway, I have had a look at these and I would agree with the comments on this post. I didn't get to view the answers from the initial website posted, but do questions 6 and beyond even have inputs? You can happily amend any responses of all the requests; however, this is certainly not valid XSS if you amend the responses, or am I missing something?

The answers I have so far for each exercise are as follows:

1. Standard insert into the text box

2. Edit either the cookie or the user-agent header

3. Edit Referer in GET header request (response gets encoded)

4. Edit Referer in POST header request (response gets encoded)

5. Edit back function (response gets encoded)

6. Edit IP with X-Forwarded-For using IP Spoofer
